Yes, here are the locations:

• Configuration logs:
  ccmadmin: Only on the node where the admin configures SSO.
    /var/log/active/tomcat/logs/ccmadmin/log4j/ccmadmin*.log
  Backend: On all the nodes in the cluster.
    /var/log/active/platform/logs/ssoApp*.log
• SAML Request/Response processing:
    /var/log/active/tomcat/logs/ssosp/log4j/ssosp*

Thanks
Sarthak

OK. In that case we will need to have a look at the SAML/SSO logs and the Mozilla packet traces to check which point it is failing on. If you are using Mozilla, can you quickly download a plugin called SAML tracer and then run the test again with SAML tracer enabled? This will tell us where exactly the request bounces from.

Regards
Sarthak

Can you send a normal Authentication post query to the AD from a PC and check if that works? I just checked; it seems like the URL got disabled. You can view the installation videos here: https://techzone.cisco.com/t5/Other-CUCM-Applications/CUCM-10-x-SAML-SSO-with-ADFS2-0/ta-p/466577

Thanks
Sarthak

Hi Sriram,

You do not need to add AD as an account store; that should happen when you ran the federation wizard. Have you ensured that the user that you are using is a CCM Admin and a CCM Super User as well?

Thanks
Sarthak

Hi Amit,

Sorry for the delayed response. If you are still running into it, just copy your claim rule to the textpad and remove all the ; and replace them with ". This should get you going.

Thanks
Sarthak

Hi Amit,

There is no limit to the number of admin accounts. You can have all your AD imported users as admins if you wish to. Yes, it is very much possible for IMP and CUC. You have to follow the same steps for them. Unfortunately, for UCCX this is not yet available.

This video contains the installation steps for ADFS 2.0 on a Windows 2008 R2 server. For the rest of the integration steps of ADFS and CUCM 10.x for SAML SSO, please refer to the link below: https://supportforums.cisco.com/video/12155556/cucm-10x-samlsso-adfs20

Introduction

Cisco provides many services in different forms. As an end user, I want to sign on once for all of my Cisco services. I want to find and manage my contacts from any of my Cisco applications and devices, leveraging all possible sources (Corporate Directory, Outlook, Mobile contacts, Facebook, LinkedIn, History) and have them rendered in a common and consistent way which provides me with the information I need to know their availability and how best to contact them. Single Sign On using SAML targets this requirement. Through SAML/SSO we provide the ability to log into multiple devices through a common account and authorization identity called the IDP.

The overall objective of this work is to provide a scalable and standards-based Single Sign On mechanism for our Unified Communications products. Single Sign On provides a better user experience, as the user needs to enter their authentication credentials only once for access to different UC services.

In order to create such a solution, a common identity infrastructure could be provided, and it has been agreed to take this up. As an outcome of this, the Common Identity Stack Architecture (CIS) has been proposed, and it has been decided that it will have the following functionalities:

• Common Identity/Directory Source
• SAML-based authentication
• SSO via SAML
• OAuth-based authorization

Here is how the flow works when using SAML/SSO with CUCM 10.x and ADFS 2.0:

1. We create a SAML integration between CUCM 10.x and ADFS.
2. When you try to log on to the CUCM admin page or user page, the request is redirected to the IDP (ADFS).
3. The IDP then prompts you to enter the credentials for login.
4. Once the credentials are authorized, it redirects us back to CUCM.

Prerequisites

In order to configure SAML/SSO with CUCM 10.x and ADFS 2.0 as the IDP, the following are the prerequisites:

• DNS server and DNS enabled in the network.
• LDAP integration of CUCM with an Active Directory server.
• An Active Directory server running Active Directory Federation Service version 2.0 (ADFS 2.0).

Components Used

• Windows 2008 R2 server with Active Directory and domain controller roles.
• Active Directory Federation Service version 2.0 on one of the Active Directories within the domain.
• CUCM version 10.x.
• DNS server.

Configure

Attached with the document is a video which talks about configuring SAML/SSO with CUCM 10.x and ADFS 2.0. The first video talks about installation of ADFS on a Windows 2008 R2 server with AD. The second video contains the integration steps.

The ADFS 2.0 installation video can be found at the following URL: https://supportforums.cisco.com/video/12155571/cucm-10x-samlsso-adfs20-installation

Also attached is a small troubleshooting guide to help you find the Claim Rules. A configuration guide PDF is attached as well.

The call manager image used in the video is CUCM 10.0.0.98000-309.
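Step 2 of the flow above is the redirect from CUCM to the IDP. The sketch below is an added example, not part of the original document or of any Cisco tooling: it decodes the SAMLRequest carried on that redirect, the way a browser SAML trace displays it, and flags mismatches worth checking first. It assumes the HTTP-Redirect binding; the host names `cucm.example.com` and `adfs.example.com`, the entity ID and all function names are constructed for illustration.

```python
import base64, zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, urlencode

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

def encode_redirect(xml_text):
    """Encode XML as the HTTP-Redirect binding does: raw DEFLATE, then base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml_text.encode()) + c.flush()).decode()

def decode_redirect(url):
    """Return the XML carried in a redirect URL's SAMLRequest parameter."""
    params = parse_qs(urlsplit(url).query)      # parse_qs undoes the URL-encoding
    if "SAMLRequest" not in params:
        raise ValueError("no SAMLRequest parameter: not the SP-to-IDP redirect")
    raw = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()   # -15 = raw DEFLATE, no zlib header

def triage(url, expected_idp_host, expected_sp_entity):
    """Summarise the AuthnRequest and list mismatches against what is expected."""
    root = ET.fromstring(decode_redirect(url))
    if root.tag != SAMLP + "AuthnRequest":
        raise ValueError("unexpected SAML message: " + root.tag)
    issuer = (root.findtext(SAML + "Issuer") or "").strip()
    dest = root.get("Destination", "")
    problems = []
    if urlsplit(url).hostname != expected_idp_host:
        problems.append("redirect went to a host other than the IDP")
    if dest and urlsplit(dest).hostname != expected_idp_host:
        problems.append("Destination does not name the IDP")
    if issuer != expected_sp_entity:
        problems.append("Issuer is not the SP entity ID the IDP trusts")
    return {"id": root.get("ID"), "issuer": issuer, "destination": dest,
            "acs": root.get("AssertionConsumerServiceURL"), "problems": problems}

# Constructed sample request and redirect URL (hypothetical hosts and IDs).
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed123" '
    'Version="2.0" IssueInstant="2014-01-01T00:00:00Z" '
    'Destination="https://adfs.example.com/adfs/ls/">'
    '<saml:Issuer>cucm.example.com</saml:Issuer></samlp:AuthnRequest>')
SAMPLE_URL = "https://adfs.example.com/adfs/ls/?" + urlencode(
    {"SAMLRequest": encode_redirect(SAMPLE_XML), "RelayState": "constructed"})
```

Call `triage()` with a redirect URL copied from the browser trace. For input you do not control, parse with a hardened XML parser such as defusedxml instead of ElementTree.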

Overview

SIP normalization is a method used to modify SIP messages sent from the call manager out the SIP trunk. Before call manager 8.5, if we had to modify the SIP messages, this had to be done by using a CUBE and applying SIP profiles on dial peers. It is normally required in a scenario where you are integrated with a third-party SIP server and they have specific requirements in terms of information coming from the Cisco side.

Topology

Cisco call manager (8.5 and above) ---> SIP trunk -----> third-party SIP server

Normalization Scripts

SIP normalization is a C script which enables us to change the various header fields of a SIP message, such as INVITE, From, To, 181, etc. We create a recursive function call and enter the queries in an if-else format.

Following are the steps to apply a normalization script on calls:

• On the call manager admin page, go to Device.
• Navigate to Device Settings and select SIP Normalization Script under it.
• Click on Add New.
• Name the script something according to your naming conventions.

Below is an example of a default script where we need to change the From field in the SIP INVITE message and add the "user=phone" tag.

Default Invite

    INVITE sip:6233284618@0.0.0.0:5060 SIP/2.0
    Via: SIP/2.0/UDP 0.0.0.0:5060;branch=z9hG4bK2938b58562
    From: <sip:5555@0.0.0.0>;tag=241~f88ceed7-4ccc-49aa-ad02-4534616cc344-29414802
    To: <sip:6233284618@0.0.0.0>
    Date: Wed, 07 Mar 2012 02:14:07 GMT
    Call-ID: 36ac8700-f561c46f-1a-500a0ac@0.0.0.0
    Supported: timer,resource-priority,replaces
    Min-SE: 1800
    User-Agent: Cisco-CUCM8.5
    Allow: INVITE, OPTIONS, INFO, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY
    CSeq: 101 INVITE
    Expires: 180
    Allow-Events: presence
    Supported: X-cisco-srtp-fallback
    Supported: Geolocation
    Cisco-Guid: 0917276416-0000065536-0000000037-0083927212
    Session-Expires: 1800
    P-Asserted-Identity: <sip:5555@0.0.0.0>
    Remote-Party-ID: <sip:5555@0.0.0.0>;party=calling;screen=yes;privacy=off
    Contact: <sip:5555@0.0.0.0:5060>
    Max-Forwards: 70
    Content-Length: 0

Modified Invite

    INVITE sip:4690717@0.0.0.0;user=phone SIP/2.0
    Via: SIP/2.0/UDP 0.0.0.0:5060;branch=z9hG4bK380671373
    From: 7024343344 <sip:7024343344@0.0.0.0;user=phone>;tag=00404d0102030a0a0a36-4950fca5
    To: <sip:4690717@0.0.0.0;user=phone>
    Call-ID: 1996806959@0.0.0.0
    CSeq: 2 INVITE
    Contact: <sip:7024343344@0.0.0.0;user=phone>
    Authorization: Digest username="476119065202", realm="BroadWorks", nonce="BroadWorksXgt37bop3Td0105nBW", uri="sip:4690717@0.0.0.0;user=phone", response="4a8491694347451bd28dd2b5c35bc1a8", algorithm=MD5, cnonce="702c5d07", qop=auth, nc=00000001
    Max-Forwards: 70
    User-Agent: HST-3000/6.0.0
    Unsupported: 100rel
    Supported: resource-priority
    Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, NOTIFY, INFO
    Content-Type: application/sdp
    Content-Length: 133

As observed above, we need to add the tag "user=phone" in the From header.

Normalization Script

    M = {}
    -- Called for every outbound INVITE on the trunk that uses this script
    function M.outbound_INVITE(msg)
        -- Add the URI parameter user=phone to the From header
        msg:addHeaderUriParameter("From", "user", "phone")
    end
    return M

This script is a recursive C function call. We created a function M.outbound_INVITE(msg), which is for outbound calls and will affect the INVITE message. It will modify the From field to the desired result.

• After adding the script, save it.
• Go to the SIP trunk configured for outbound calls.
• Choose this script on the SIP trunk and then save it.

Important Links

Link for SIP normalization scripts: http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/sip_tn/8_5_1/10-sip_transparency.html

Hope this is helpful.
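To preview what the normalization script above should produce before assigning it to a trunk, the following added example (not Cisco code and not part of the original document) models the effect of msg:addHeaderUriParameter on a raw SIP message in Python. The sample message is constructed from a few headers of the default INVITE above; the function names are hypothetical, and how CUCM treats a header whose URI has no angle brackets is not stated on the page, so the model follows RFC 3261 there.

```python
import re

def _has_param(uri, name):
    """True if the URI already carries a parameter called name."""
    return re.search(r";%s(=|;|$)" % re.escape(name), uri, re.I) is not None

def _add_to_value(value, name, param):
    m = re.search(r"<([^>]*)>", value)
    if m:
        # name-addr form: a URI parameter belongs inside the angle brackets,
        # ahead of header parameters such as ;tag=...
        if _has_param(m.group(1), name):
            return value                      # already present, leave untouched
        return value[:m.end(1)] + ";" + param + value[m.end(1):]
    # No brackets: RFC 3261 treats everything after the first ';' as header
    # parameters, so the URI must be bracketed to carry a URI parameter.
    uri, sep, header_params = value.partition(";")
    return "<" + uri + ";" + param + ">" + sep + header_params

def add_header_uri_parameter(message, header, name, value=None):
    """Model the effect of msg:addHeaderUriParameter(header, name, value)."""
    param = name if value is None else name + "=" + value
    head_part, blank, body = message.partition("\r\n\r\n")  # never touch the body
    lines = []
    for line in head_part.split("\r\n"):
        field, colon, rest = line.partition(":")
        if colon and field.strip().lower() == header.lower():
            line = field + ": " + _add_to_value(rest.strip(), name, param)
        lines.append(line)
    return "\r\n".join(lines) + blank + body

# Constructed sample: selected headers from the page's default INVITE.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:6233284618@0.0.0.0:5060 SIP/2.0",
    "From: <sip:5555@0.0.0.0>;tag=241~f88ceed7-4ccc-49aa-ad02-4534616cc344-29414802",
    "To: <sip:6233284618@0.0.0.0>",
    "Contact: <sip:5555@0.0.0.0:5060>",
    "Content-Length: 0",
    "", ""])

def normalized_sample():
    """Apply the same change the page's script makes to the sample INVITE."""
    return add_header_uri_parameter(SAMPLE_INVITE, "From", "user", "phone")
```

Only the From URI changes: the tag stays a header parameter outside the brackets, and the request line, To and Contact are left alone, which is why the page's script does not by itself produce every difference seen in the modified INVITE.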

Just go to the BAT tool page and take a backup in terms of a CSV file. Once you have the file on your desktop, open it up in Excel and look for the DEVICE1. Correct the MAC address on that. Go back to the BAT tool, select edit, and restore the CSV file. This should fix your problem.

Potential problems:

1. When you are using Exchange 2007 or 2010, it may happen that when you try to access your voicemail messages using the TUI it says "You have no new messages", although you just left a message for yourself and you can see it in your inbox using OWA.
2. There would be no MWI notification for that message, and on the SA page under messages for that user it will show the status as MWI light off, which denotes no new messages.
3. Basically, what is happening is that the message does get delivered to your mailbox, but Unity is not being notified by the Exchange server about it. An error such as the following would appear in the application log:

Search Folders Error

    Event Type: Error
    Event Source: CiscoUnity_MALEx
    Event Category: Error
    Event ID: 30020
    Date: 11/29/2009
    Time: 5:00:06 AM
    User: N/A
    Computer: xxxxxxx
    Description: An attempt to create a search-result folder for account cn=xxxxxxxx,cn=Recipients,ou=Main Campus,o=xxxxxxxxxxxxx System has failed. The MAPI subsystem returned the following error:80040115.

This error does not necessarily show up every time. You will also find instances where the application log has no errors at all but the symptoms are the same as mentioned above.

Background:

Every time you press the messages button on your phone to access your voicemail box to retrieve messages, Unity goes back to Exchange to request information about the user. This information is sent by Exchange in a folder called the Cisco search folders. These folders contain information about the total number of messages, total new messages, total saved messages and MWI status for the user. These folders are mostly stored in the cache on the Exchange side, and as Unity requests the status they are sent over. These folders are also sent as notifications from Exchange whenever a new message is left for a user, to update the MWI status.

Solution:

There are two basic ways by which this can be done. One is the tool developed by Cisco, MBXClean.exe; the other is MFCMAPI, the Microsoft tool. MFCMAPI can be easily downloaded from the Microsoft site. MBXClean.exe is attached to this document as a .txt file. You can download it and then change it back to a .exe.

Let us first pick up MBXClean. Following is the process to recreate the search folders using this tool:

1. Obtain MBXClean.exe. A version of this patch is attached to this document, or you can raise a case with TAC to get it.
2. Extract the contents of this to a folder somewhere on the desktop or the commserver directory.
3. Create a list of all the affected users. Create a text file which contains all the subscribers' aliases (one on each line). To find a list of Exchange subscribers' aliases, use the following SQL command in the query analyzer:

    SELECT uid FROM Subscriber WHERE SubscriberType = 1;

4. Log on to the Unity server using the Unity Message Store service account and open a cmd window, or open a cmd window but run as the Unity Message Store service account. Use this cmd window to run MBXClean.exe with the following switches:

    MBXClean.exe -r -s -i <inputfilename>

   where <inputfilename> is the file we created in step 3.
5. Restart Unity. Search folders for each subscriber will be rebuilt the next time they try to check messages.
6. NOTE: If MBXClean.exe seems to hang, we need to stop Unity from the tray icon and re-run MBXClean.exe with Unity stopped.

Using MFCMAPI for the same procedure:

1. Download the latest version of MFCMAPI from the Microsoft site on your Unity machine.
2. Log on to the Unity server using the Unity Message Store service account and open MFCMAPI, or open MFCMAPI and run as the Unity Message Store service account.
3. Under the Session tab, click on Log on and display store table. Select the Unity messaging profile and click on OK.
4. At this point you are logged on to the Exchange mailstore. Under MDB, click on Open other user's mailbox.
5. Search for the affected user and click on OK.
6. Expand the Root folder, right-click on Cisco Search Folders and hit delete.
7. Repeat steps 4 to 6 for all the affected users.
8. Restart Unity. Search folders for each subscriber will be rebuilt the next time they try to check messages.

**********CAUTION - READ BEFORE PROCEEDING**********

Using MBXClean.exe for many users at a time will utilize a lot of CPU. It is advised that this procedure be done during a downtime, since we also need to restart the server after performing these steps. Make sure you always run these tools using the Message Store account and selecting the default Unity System profile.